Problems with port 993 (SSL)

Paul van der Vlis paul at vandervlis.nl
Wed Sep 2 06:56:21 EDT 2015 

Op 02-09-15 om 01:36 schreef Stefan Suurmeijer:
> Hi Paul,
> 
> a fellow Groninger? Then lets try to help ;-)

Nice to know ;-)

> From the OSX v10.11 release notes (released 15-8):
> 
>   * DHE_RSA cipher suites are now disabled by default in Secure
>     Transport for TLS clients. This may cause a failure to connect to
>     TLS servers that only support DHE_RSA cipher suites. Applications
>     that explicitly enable cipher suites using SSLSetEnabledCiphers()
>     are not affected. Safari may display a “Safari can’t establish a
>     secure connection to the server” error page. Safari and other
>     clients of CFNetwork API (NSURLSession, NSURLConnection,
>     CFHTTPStream, CFSocketStream and Cocoa equivalent) will show a
>     “CFNetwork SSLHandshake failed” error in Console.
> 
> 
> Maybe you can use checktls.com to find out which cipher your site uses.
> A very useful site.

Interesting site, but I need more time to understand the tests.

When I use openssl, I get a long timeout after "CONNECTED", and then
something what looklikes there is no certificate available at all:
-----------------
paul at server2:~$ openssl s_client -connect mail.vandervlis.nl:993
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
paul at server2:~$
-----------------

Port 465 (postfix SSL/TLS) has the same problem.

When I use openssl to port 443 what uses the same certificate,
everything is fine. But TLSv1 with DHE-RSA-AES256-SHA cipher is used.
I am using a SHA256 certificate with a 2048 bit public key.

Realize that this has worked for a long time, and so far I know I did
not change anything.

On my new mailserver port 993 (Cyrus 2.4.17) works fine with the same
certificate. (Only tested with openssl.)

> If your site uses a DHE-RSA cipher, you may need to change the
> tls_cipher_list in your imapd.conf

I only accept TLSv1 high-security ciphers:
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH

The problems are not very big, I can tell the people to change port 993
to port 143 in the client, this fixes the problem.
Most people are already using port 143.

With regards,
Paul van der Vlis.

-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/

More information about the Info-cyrus mailing list